Huntress Managed SIEM lets you save queries and schedule them to run at a set interval, so frequently used queries can be recalled quickly and run automatically as needed. Until at least one query has been saved, the Query Management page will have little to show. To save a query, follow the instructions below:
Saving a Query
- From the SIEM Dashboard, create a query, then click Search.
- Note that the Save button is now available; click Save.
- In the Save dialog, enter a descriptive name in the Name field.
- Click Save.
- From the navigation bar, click SIEM, then click Query Management.
- Review your saved queries.
Creating a Saved Scheduled Query
- From the SIEM Dashboard, create a query, then click Search.
- Click Save or Schedule.
- If you clicked Save, enable the "Schedule this query" checkbox.
- Select the interval at which the query should run.
Note: The query's lookback period is equal to its interval. For example, with a 6 hour interval the query retrieves the last 6 hours of results; with a 7 day interval it retrieves the last 7 days of results. Consecutive runs therefore cover back-to-back time windows.
- Select the Schedule start date-time.
Note: Because the lookback period is tied to the interval, the start time is less critical, but it can be useful for ensuring the results are exported at a specific time of day.
- Choose whether you would like to be notified if no results are present.
Note: Turning this ON (box checked) sends an email after every run, regardless of whether results are present. Turning it OFF (box unchecked) sends a notification only when results are found.
- Click Save.
- Click "Manage Searches" to the right of the Export button, or select SIEM -> Query Management from the navigation bar.
Please note that if a scheduled query fails to run, the scheduled query will be deleted to prevent it from repeatedly failing. This can happen if a source stops sending data regularly and the query misses its next scheduled run time, so be aware that you may need to re-create saved queries if you take a SIEM source offline. After bringing a source back online, check the Status and Last Run At columns on the Query Management page to confirm the schedule is still in place.
Receiving Exports
Starting at the selected start date-time, the query runs on the specified interval. When each run completes (subject to the no-results notification setting chosen above), an email notification is sent to the user who configured the scheduled query, with a link to the results on the Exported Queries page.
The notification goes only to the configuring user; however, account administrators can access all scheduled query exports from the Exported Queries page.
Example of the emailed notification: [screenshot]
Managing Queries
- From the navigation bar, click SIEM, then click Query Management.
- Review the Saved Queries table, specifically the last three columns:
- Last Run At indicates when (and whether) the saved query was last run on a schedule. It records scheduled runs only; ad hoc Search Now runs are not recorded here.
- Status displays "scheduled" if the saved query is scheduled to run on an interval.
- Actions provides ways to use and interact with the saved query.
- Click the three-dot icon for a saved query.
- Search Now opens a SIEM Dashboard page with the query preloaded and a default lookback period; the query begins running automatically. Adjust the lookback period as necessary.
- Schedule, or Edit Schedule, lets you add a schedule to a saved query or adjust an existing one.
- View Exports takes you to the Exported Queries page, where account administrators can view and download all previous exports.
Note: View Exports is disabled if the saved query is not scheduled, if it is scheduled but has not run yet, or if it has not produced results.
- Delete deletes the saved query.
Exported Queries
The Exported Queries page is reached from the Query Management page.
From here, users can download the exports of previously run queries and saved queries.